Are there any security concerns with this? Is it secure to transmit private information like credit card details in such a scheme (where the information is only placed on the HTTPS iframe form, and not on the HTTP parent page)?

5 Answers
5

If only the iframe is https, the user cannot trivially see the URL it points to. Therefore, the source http page could be altered to point the iframe anywhere it wanted to. That's pretty much a game-over vulnerability that eliminates the advantages of https.

An HTTPS iframe within a page served over HTTP will not allow the user to be sure they are actually using the HTTPS connection that they expect to be, therefore this potentially allows the iframe to be hijacked in a simple attack, such as an iframe injection. This would allow password harvesting, etc. Such an attack could begin through a trojan, a virus, visiting a malicious website, among others.
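As an added illustration of the hijack described in the two answers above (example code, not from either answer), the following JavaScript models an on-path attacker rewriting the plain-HTTP parent page so that the HTTPS iframe points at a host the attacker controls, while the address bar the user sees stays exactly the same. The host names shop.example, pay.example and evil.example and the page markup are constructed for the example; the iframe extraction uses a simple regex rather than a full HTML parser.

```javascript
// Added example (not from the original answers): what an on-path attacker can
// do to an HTTP parent page that embeds an HTTPS payment iframe.
// shop.example, pay.example and evil.example are assumed names.

// Extract every <iframe src="..."> from an HTML string. Regex model only,
// adequate for the constructed page below, not a general HTML parser.
function iframeSources(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// What the address bar shows: only the top-level document's URL. The frame's
// own URL never appears there, so pay.example and evil.example look identical.
function addressBarText(topLevelUrl) {
  return new URL(topLevelUrl).href;
}

// Attacker sitting between the user and shop.example. Because the parent page
// travels over plain HTTP, its bytes can be rewritten in transit: every iframe
// pointing at the real payment host is retargeted to the attacker's host, which
// can legitimately hold a valid HTTPS certificate for evil.example.
function tamperInTransit(html, realHost, attackerHost) {
  const escaped = realHost.replace(/\./g, '\\.');
  const re = new RegExp(`(<iframe\\b[^>]*\\bsrc\\s*=\\s*")https://${escaped}`, 'gi');
  return html.replace(re, `$1https://${attackerHost}`);
}

// Only an https: parent is integrity-protected in transit; an attacker without
// a valid certificate for the parent's host cannot alter the frame's src.
function parentIsIntegrityProtected(topLevelUrl) {
  return new URL(topLevelUrl).protocol === 'https:';
}

// Constructed checkout page as served by shop.example over plain HTTP.
const ORIGINAL_PAGE = `<html><body>
<h1>Checkout</h1>
<iframe src="https://pay.example/card-form?order=42" width="400" height="300"></iframe>
</body></html>`;

// Run the scenario end to end and return what the user sees versus where the
// card form really goes.
function simulate() {
  const topLevel = 'http://shop.example/checkout';
  const tampered = tamperInTransit(ORIGINAL_PAGE, 'pay.example', 'evil.example');
  return {
    addressBarBefore: addressBarText(topLevel),
    addressBarAfter: addressBarText(topLevel), // unchanged: the attack is invisible
    iframeBefore: iframeSources(ORIGINAL_PAGE),
    iframeAfter: iframeSources(tampered),
    parentProtected: parentIsIntegrityProtected(topLevel),
  };
}

console.log(JSON.stringify(simulate(), null, 2));
```

The point of `parentIsIntegrityProtected` is the practical fix: serving the parent page itself over HTTPS makes the in-transit rewrite impossible without a certificate the attacker does not have, which is why the lock icon only means something when it applies to the whole page the user is looking at.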

Yes, while most recent browsers will properly sandbox the SSL parts, you are undermining all the functionality added to browser chrome to provide user feedback regarding the contents. I for one would not provide any sensitive information without checking the URL showing in my browser.

In addition to the possible hijacking scenarios already given, you may run into issues on IE6/7 if you point to either an HTTP or HTTPS page requiring login. Basically, the cookies from the iframe's page are expecting you to be using the same protocol (HTTP or HTTPS) and so if the page you're putting the iframe on is using HTTP instead of HTTPS, it would prevent the user from being able to log in.
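As an added, general illustration of the protocol-mismatch login failure mentioned above (example code, not from the answer, and not a model of the specific IE6/7 behaviour it refers to), the following JavaScript implements a minimal cookie jar that applies the standard Secure attribute rule: a cookie set with `Secure` is only attached to `https:` requests, so a session established over HTTPS is simply missing when the same page is requested over `http:`. The host login.example and the session value are constructed.

```javascript
// Added example (not from the original answer): minimal cookie jar applying
// the Secure attribute rule, to show why a login can fail to "stick" when
// the page is later requested over a different protocol.
// login.example and the session value "abc123" are constructed.

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie from a Set-Cookie header received from responseUrl.
  // Only the Secure attribute is interpreted; others (Path, Expires, ...) are ignored.
  storeFromSetCookie(responseUrl, header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const host = new URL(responseUrl).hostname;
    const secure = attrs.some((a) => a.toLowerCase() === 'secure');
    // A later cookie with the same host and name replaces the earlier one.
    this.cookies = this.cookies.filter((c) => !(c.host === host && c.name === name));
    this.cookies.push({ host, name, value, secure });
  }

  // Build the Cookie header for a request. Secure cookies are withheld on http:.
  cookieHeaderFor(requestUrl) {
    const u = new URL(requestUrl);
    const isHttps = u.protocol === 'https:';
    return this.cookies
      .filter((c) => c.host === u.hostname && (!c.secure || isHttps))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Toy server-side check: the account page counts as logged in only if the
// session cookie arrives with the request.
function isLoggedIn(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((s) => s.trim())
    .includes('session=abc123');
}

// Walk-through: the HTTPS login sets a Secure session cookie; the same account
// page fetched over http: (as a plain-HTTP frame would) arrives without it.
function scenario() {
  const jar = new CookieJar();
  jar.storeFromSetCookie('https://login.example/login', 'session=abc123; Secure; Path=/');
  return {
    overHttps: isLoggedIn(jar.cookieHeaderFor('https://login.example/account')),
    overHttp: isLoggedIn(jar.cookieHeaderFor('http://login.example/account')),
  };
}

console.log(scenario());
```

The practical check for the original question is to load the framed login page directly in a new tab over both `http:` and `https:` and compare: if the session only survives on one of them, the frame and the parent must agree on the protocol, and the safe way to make them agree is to serve both over HTTPS.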